The Cybersecurity and Infrastructure Security Agency (CISA) today published an updated, second version of its Zero Trust Maturity Model that is guiding Federal agencies and other organizations along the path to adopting zero trust security architectures.

The updated maturity model benefits from public comments that CISA received through a proceeding initiated in 2021, and also its experience in helping other Federal agencies undertake their zero trust security migrations over the past year and a half.

Among the biggest changes from the initial version, the updated maturity model expands the range of maturity stages from three to four, by incorporating a new “initial” stage; the four stages now framed in the updated maturity model are: Traditional, Initial, Advanced, and Optimal.

CISA said it added the additional stage in recognition that “organizations begin their journey toward zero trust architectures from different starting points.”

“CISA has also added several new functions and updated existing functions to consider when organizations plan and make decisions for zero trust architecture implementation,” the agency said. 

“CISA has been acutely focused on guiding agencies, who are at various points in their journey, as they implement zero trust architecture,” said Chris Butera, Technical Director for Cybersecurity at CISA. 

“As one of many roadmaps, the updated model will lead agencies through a methodical process and transition towards greater zero trust maturity,” he said. “While applicable to federal civilian agencies, all organizations will find this model beneficial to review and use to implement their own architecture.”   

CISA added that the “updated maturity model provides a gradient of implementation across the five distinct pillars to facilitate implementation, allowing agencies to make minor advancements over time toward optimization of zero trust architecture.” The five pillars in the maturity model are identity; devices; network; data; and applications and workloads. 

Read More About
More Topics
John Curran
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.